Microsoft has acquired GitHub. Decentraleyes has left GitHub. Welcome to its new home!

To participate, please register, or sign in with an existing GitLab.com, Bitbucket, or GitHub account.

Past contributions on GitHub? Be sure to reclaim your Comments, Issues, and Pull Requests.

Commit cf21afe8 authored by Thomas Rientjes's avatar Thomas Rientjes

Implement cookie and origin sanitation

parent c9fc15e7
......@@ -85,8 +85,10 @@ var Interceptor = new Class({
return;
}
// Remove referer header from request.
// Remove sensitive headers from the request.
httpChannel.setRequestHeader('Referer', null, false);
httpChannel.setRequestHeader('Origin', null, false);
httpChannel.setRequestHeader('Cookie', null, false);
// Convert the original request URI to a local target.
target = requestAnalyzer.getLocalTarget(httpChannel.URI.host, httpChannel.URI.path);
......
......@@ -78,8 +78,11 @@ exports.isValidCandidate = function (httpChannel) {
// If the request initiator could be determined and is whitelisted.
if (initiatorDomain && whitelistedDomains[_normalizeDomain(initiatorDomain)]) {
// Remove referer header from request.
// Remove sensitive headers from the request.
httpChannel.setRequestHeader('Referer', null, false);
httpChannel.setRequestHeader('Origin', null, false);
httpChannel.setRequestHeader('Cookie', null, false);
return false;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment